|Author||Vitalik Buterin, Christian Reitwiessner|
Table of Contents
To increase smart contract security, this proposal adds a new opcode that can be used to call another contract (or itself) while disallowing any modifications to the state during the call (and its subcalls, if present).
This proposal adds a new opcode that can be used to call another contract (or itself) while disallowing any modifications to the state during the call (and its subcalls, if present). Any opcode that attempts to perform such a modification (see below for details) will result in an exception instead of performing the modification.
Currently, there is no restriction about what a called contract can do, as long as the computation can be performed with the amount of gas provided. This poses certain difficulties about smart contract engineers; after a regular call, unless you know the called contract, you cannot make any assumptions about the state of the contracts. Furthermore, because you cannot know the order of transactions before they are confirmed by miners, not even an outside observer can be sure about that in all cases.
This EIP adds a way to call other contracts and restrict what they can do in the simplest way. It can be safely assumed that the state of all accounts is the same before and after a static call.
Introduce a new
STATIC flag to the virtual machine. This flag is set to
false initially. Its value is always copied to sub-calls with an exception for the new opcode below.
STATICCALL functions equivalently to a
CALL, except it takes only 6 arguments (the “value” argument is not included and taken to be zero), and calls the child with the
STATIC flag set to
true for the execution of the child. Once this call returns, the flag is reset to its value before the call.
Any attempts to make state-changing operations inside an execution instance with
STATIC set to
true will instead throw an exception. These operations include
SELFDESTRUCT. They also include
CALL with a non-zero value. As an exception,
CALLCODE is not considered state-changing, even with a non-zero value.
This allows contracts to make calls that are clearly non-state-changing, reassuring developers and reviewers that re-entrancy bugs or other problems cannot possibly arise from that particular call; it is a pure function that returns an output and does nothing else. This may also make purely functional HLLs easier to implement.
This proposal adds a new opcode but does not modify the behaviour of other opcodes and thus is backwards compatible for old contracts that do not use the new opcode and are not called via the new opcode.
To be written.
Copyright and related rights waived via CC0.
Please cite this document as: